
I really do love Linux, but it has a problem. A big problem that's bitten me yet again.


Transcript

In the years since I left Microsoft, I've come to appreciate and really enjoy working with Linux and many, many non-Microsoft products. Don't get me wrong, I love Windows and Office and other assorted Microsoft products, but I've also come to love Linux.

I host all my sites on Linux, and manage several Linux based servers for clients.

But the Linux distros all need to take a page from the lessons Microsoft had to learn - a lesson that it took Microsoft a long, long time to get.

What am I talking about? Security.

Most default Linux installs are about as secure as, say, Windows 98. Look out on the net, and you'll find lots of laundry lists of additional steps, software and recommendations for things you need to do to your Linux installation in order to secure it from unauthorized access. A long laundry list, that's really only understood by the Linux geeks.

Some of the different pieces of software have different auto-update mechanisms, the cPanel management console, for example, or current Red Hat distributions have something called "up2date" which works, sort of. Other distros, other solutions. Maybe.

But this week I found myself wishing for Windows Update on my client's Linux box. And even an equivalent to the Windows Security Center that might offer to enable and configure my firewall for me. Perhaps an included anti-spyware tool that not only detected, but repaired, system intrusions. Even system restore points and the system file checker under Windows were all looking pretty good.

Why? Because a client's machine had been hacked into and a rootkit installed. The net result is that we'll be building out and moving to a new server. Which will be a lengthy process as I track down all the additional components required to stay secure and build my own checklist.

In 15+ years of working with Windows I've never had a server compromised. In the last two years working with Linux, I've dealt with two complete server rebuilds due to hacks.

I love Linux. Really, I do. But it still has a long way to go. Dare I say, it could learn a lesson or two from Windows.

Have a comment? I know you do. Visit askleo.info, and enter 8836 in the go to article number box. Let me know what you think, I'd love to hear from you.

This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems. New questions and answers are added daily.

That's askleo.info.

Article C2382 - July 7, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


22 Comments
mike
July 7, 2005 1:48 PM

Leo, you bring up some valid points, however we should remember that Linux is a tweakers' system only. You should only have a Linux server if you know something about computers. Coming from a Windows world, you tend to expect things all wrapped into one, and for it to "just work." This is not however the philosophy of Linux software. In Linux (and Unix in general) one program should do one thing right, and then let another application take the next step. So you will need to install a firewall; I would just mount one on the rack instead of using software. And, in the grand scheme of things, we should keep in the light that Windows has issues as well, so if you want a computer that has less problems (AOL keyword: less), then Mac is the only choice.

Leo
July 7, 2005 2:10 PM

Well, I guess that's my point: Linux isn't for "normal" people :-). Sadly, though, by holding to that strategy, Linux will continue to be an elitist, niche product, and less than 'l33t' users will continue to get compromised.

Yes, you do need additional parts (small pieces each doing their job well is a wonderful, wonderful thing). I just don't see why some - if not most - of the distros don't include those parts ready to go. There's nothing I'll do to my build out that couldn't be there by default. By making it a difficult, extra step, they're allowing it to remain either, as I said, a niche platform, and/or a big security risk for folks that want to use it for the many things it's oh so good at.

KryptonianSon
July 7, 2005 2:23 PM

All I can say is you HAVE to be kidding me. It took Microsoft a long time to get security? They STILL haven't gotten it. Remote intrusion is an awfully narrow way to look at security. It must be one of the top things to consider yes, but as an IT professional I have to say, I have had nothing but security problems on Windows through browser problems etc. (Not me but customers of course, I use Firefox)

You say you have to do a laundry list of things to make Linux secure? This WAS the case with older Linux distributions. But all the tools and functions were/are included to do it. I don't have to purchase expensive software like I do on Windows to make this happen.

The only way to rely on having a secure Windows system is not to rely on Windows. You HAVE to get 3rd party software (which is usually pricey) to lock things down.

With that said, any system you buy you have to consciously ensure it is locked down. And the more you understand the security risks, and how you can be exploited, the better off you are. In fact, Windows users have to understand these things just as much (if not more due to so many holes in things like IE). You really made it sound as if you are a Windows user, there is nothing you need to do. Which is terribly irresponsible, even if you didn't mean to make it sound that way.

Linux is only as secure as Windows 98? Come on, you have to be joking. This podcast sounds as if it is purposely flame bait.

In the 8 years I have used Linux, I have had 1 machine hacked into and that was 6 years ago. I have had numerous Windows servers compromised repeatedly. My company has had the same problems as well. They have not had a single Linux box busted open in the 4 years I have been here.

This cast is obvious it is from someone who is not aware of the options available for software updates. You make it sound as if it is almost rare, and if it is there it doesn't work. Are you kidding me? Package management and updates are a dream, and frequent at that.

Everyone is of course entitled to their opinion, but to me it seems this one is based on lack of knowledge about a specific platform.

No, Linux is not for my grandma. Windows has some great features and some great software. Each have their place, and I like each of them for their own strengths. I am no Linux snob. In fact I have 2 Windows machines, 1 Linux machine, and my main machine is a G4. Linux has some problems to overcome, this is true. Windows has problems to overcome, and these I find far more serious.

I have to admit, I am so amazed by the lack of insight in this single podcast that I do not think I could rely on objective, educated insight on any other topics. I am sure you have a lot of knowledge about a lot of things, but based on this podcast, I simply cannot rely on the right answers. I listened to my last one.

Leo
July 7, 2005 3:01 PM

I'm sorry to lose you as a listener, but so be it.

I certainly don't mean to infer that Windows is perfect - far from it. But one of my obvious frustrations with Linux is what I consider to be a fairly myopic view by many of its supporters that it's so much more secure than Windows. Obviously I disagree. It's insecure in different ways, of course, but still to assume that an out of the box Linux install even tries to be secure is a frustrating fallacy.

My laundry list costs nothing but time. It includes things like the simple advice that so many people "just know" - turn off ftp, disable remote root login, and much more. It includes a lot of good, FREE software, such as firewalls and monitoring solutions, and a lot more. My question is not that those things aren't available, my frustration is that they're not there to begin with. Why is there not a distro that has these types of solutions in place, ready to go?

If there is, please tell me. I've been through several and have yet to find one that meets my criteria. What I have found, on several very helpful Linux community sites, are instructions to build what I want myself - the fodder for my laundry list.

Yes, I feel the same frustration that many Windows users feel. I just want it to work - I don't want to, nor do I feel I should have to - go running around to add all the utilities and tweak all the config settings to make it safe.

I stick with what I inferred: I have yet to find a truly reliable automatic update solution for any Linux distro. Redhat's subscription (for $$) is perhaps the best and what I'll be relying on in the future, and Debian's looks promising as well. But neither are perfect, and both have caused me issues in the past.

Thanks for your comments though, even if you choose to leave.

David
July 7, 2005 3:14 PM

I was just wondering what distribution of Linux you were using at the time of this incident? About the only way you can have such a security compromise is if you expose your root account and password to the outside world. This could be possible if you were running a very old distro with remote access via an unencrypted protocol or if your choice of passwords did not follow simple security precautions.

I would suggest you take a look at ClarkConnect (http://www.clarkconnect.org) if you are looking for a basic server system with all your requirements (firewall/security/services) preinstalled. If you need more than this then check out any of Novell's (http://www.novell.com/products/linuxenterpriseserver) Linux server products or Red Hat or one of their free alternatives (http://www.centos.org/). All of these distributions have everything that you are looking for and some great support resources.

P.S. You are a brave person to hold your hand up, proclaim your love of Windows and then proceed to outline your worries about Linux security. Good luck and get in touch if you need any help :-)

KryptonianSon
July 7, 2005 3:35 PM

I have to ask, what distribution are you using and what version? Answers to both questions are important. What distribution/version were these systems that were busted into?

It has been a while (several years) since I have used a mainstream Linux distribution that didn't have the firewall configuration as part of the initial installation process. Turn it on and you're done, no extra work. And you can choose which ports/services you want.

Let's use Redhat as an example. If you do a desktop installation you don't get these extra daemons you are referring to. If you do a server install, then it is expected that is what you want, server software. Go in custom and don't install those services during install time. All this gets saved in your anaconda config file in /root. Anytime you want to have that configuration you can pop in a floppy (and many other ways) to grab the file and it will preserve your settings.

Now, I have used Windows since 3.0 with media extensions ( ;-) How is that for showing age heh. ) I can go back years to show that a Firewall has been included in default installations, and configuration as part of the installation. No one can say that as a track record for Windows.

You mention a "laundry list" of things that has to be done. I think it would be helpful for you to give us that list. Perhaps someone will have a good/easy solution for you so you don't have to do anything tedious. Perhaps some distro developers/maintainers will read it and a light will go on and they will fix the issues. Or, maybe there is a distribution that someone knows of that will take care of all your issues. The only way to give advice, is to know the complete problem, I am sure you would agree. If not for this reason, I think it would be important to list this out in your reply just so we have a better idea of what is causing you all this trouble.

On to software update management etc. One word, yum. It has a daemon that will take care of it all for you. And up2date works with it (well). Give that a shot. I have not had a single issue with it. I haven't had to manually update any packages in well over a year. I have had nothing but success with current version of up2date (included in Fedora). I will agree, up2date had a shaky start, but again, that was a few years ago.

Please note, that my responses are with utmost of respect. Again, I agree, we all have a right to our opinions.

Fungus
July 7, 2005 5:41 PM

This podcast is just flame-bait. There was absolutely no intelligence or valid argument to it at all.

It should have been obvious at the beginning, but I took the bait. Erg! I mean come on! Leo might know enough to secure a windows box (which requires many more steps), but doesn't have a damn clue about securing a Linux box.

Managing servers is not for idiots with "Security Centers".

Leo
July 7, 2005 6:07 PM

David: thanks for the pointers.

Absolutely the compromised systems were running old/out of date distros. (Redhat 9, which hit end-of-life). No question there.

My frustrations and issues are around the next generation that I'm building out. It'll be Redhat Enterprise. What I've seen so far indicates that it'll still take further tweaking to lock it down appropriately.

Brave? I dunno. Considering some of the other posts I'm seeing here, I'm not sure brave is the word I'd use. But I believe in raising issues and awareness, and I knew I'd learn more out of the resulting discussion (when it *is* a discussion, that is :-).

Thanks for your comments.

Leo
July 7, 2005 6:19 PM

KryptonianSon: RH9, past end of life. So the system compromise is, in hindsight, not at all unexpected. As I said to David, my frustrations surround the things that still have to be done to harden the system out of the box - even current systems.

Certainly most, if not all, Linux distros include ipchains/iptables - not sure if that's what you're referring to as a firewall. I *love* iptables, it's incredibly powerful - if there's a basic configuration in place out of the box, then I'll be happier. But configuring it, as I'm sure you're aware, is non-trivial. And while there are packages like APF, which looks very interesting and which I'll be looking into as a wrapper for iptables, I'd really expect that to be part of the distro these days. (If it or something like it is ... fantastic!)

As for my laundry list - yes, I do plan to publish it, actually, as I work through the build-out. But if things like "turn off ftp" and "disable remote root ssh login" still have to be on it, then I'll be quite disappointed. (Those are just simple, obvious, examples of a longer list.)

I'll absolutely be looking at YUM.

And thanks again for your comments ... they're appreciated.
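The two sample items from Leo's list above ("disable remote root ssh login" and a basic iptables configuration) as an added shell example that is not from the page or from any project: one function reads the effective PermitRootLogin from an sshd_config (sshd takes the first uncommented occurrence; "yes" when the keyword is absent is assumed here as the default of OpenSSH releases of that era), and another writes a minimal default-deny ruleset in iptables-restore format. The sample config and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit one "laundry list" item
# (remote root ssh login) and generate another (a basic default-deny firewall).
# Function and file names here are constructed for the demo.
set -u

# Print the effective PermitRootLogin value from an sshd_config. sshd uses the
# FIRST uncommented occurrence of a keyword (later duplicates are ignored) and
# matches keywords case-insensitively. When the keyword is absent we print
# "yes", assumed here as the default of OpenSSH releases of that era.
sshd_permit_root_login() {
    value=$(awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${value:-yes}"
}

# Returns 0 only when root cannot log in over ssh at all ("no"); key-only
# variants such as "without-password" still count as enabled here.
check_root_login_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# Write a minimal default-deny ruleset in iptables-restore format to $1,
# accepting loopback, established traffic and new TCP connections only on
# the ports listed (space separated) in $2. Load with: iptables-restore < file
write_basic_firewall() {
    out=$1
    ports=$2
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        for p in $ports; do
            echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
        echo 'COMMIT'
    } > "$out"
}

# Constructed sample sshd_config: a commented-out "no" above an active "yes",
# the kind of leftover that makes a box look hardened when it is not.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# PermitRootLogin no
Protocol 2
PermitRootLogin yes
PermitRootLogin no
EOF

demo() {
    if check_root_login_disabled "$SAMPLE_SSHD"; then
        echo "sshd: remote root login disabled"
    else
        echo "sshd: remote root login ENABLED (PermitRootLogin=$(sshd_permit_root_login "$SAMPLE_SSHD"))"
    fi
    FW=$(mktemp)
    write_basic_firewall "$FW" "22 80 443"
    echo "firewall ruleset written to $FW:"
    cat "$FW"
}
demo
```

Run the audit against the real /etc/ssh/sshd_config and review the generated ruleset before loading it, since a default-deny INPUT chain on a remote box will lock you out if the ssh port is missing from the list.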

Leo
July 7, 2005 6:25 PM

Fungus: sorry you feel that way. My frustrations, and opinions, are genuine. Yes, yes, I know that security centers aren't necessarily the way to manage enterprise servers ... but the example represents a basic level of functionality that, in all honesty, I found missing in Linux.

I see it as a huge lost opportunity for the Linux community to make Linux more accessible to more people by simply making the default distro more secure out of the box. My experience so far is that has not been the case.

Some of the comments I've seen so far here give me a little hope that my next experience will prove me wrong.

Thanks,

Leo

David Mohring
July 7, 2005 7:56 PM

*Sigh*. For an "expert" it's a wonder you have not heard of bastille. I have been using it for years.

http://www.bastille-linux.org/

"The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works."

"Bastille supports a number of Linux distributions and operating systems. In the RPM-focused world, it supports Fedora Core, Red Hat Enterprise, Red Hat Classic (Red Hat 6 through 9), SuSE and Mandrake systems."
http://www.bastille-linux.org/redhat.html

Compare the above instructions deploying bastille on Redhat or Suse to Microsoft's guide to securing win2k3 server.
http://go.microsoft.com/fwlink/?LinkId=14845

With its inline documentation, Bastille is actually a lot easier for beginner and intermediate skilled administrators to deploy.

It now also includes an assessment mode, which I have found to provide a far more reliable report than Microsoft's recent "security center".
http://www.bastille-linux.org/assessment.html

"This work was sponsored by the U.S. government's Technical Support Working Group (TSWG). TSWG funded the U.S. Navy's Space and Naval Warfare (SPAWAR) Systems Center San Diego to provide Bastille Linux with an auditing capability. The effort also provided for adding some additional Department of Defense hardening steps within Bastille and documentation. The project is called Fort Knox for Linux."
http://software.newsforge.com/software/05/04/19/1256244.shtml

If you stick to the packages provided in the distribution, I have found both Redhat and Suse far easier to maintain and keep up to date than either Win2k or Win2k3 servers.

Eric Standlee
July 7, 2005 8:10 PM

Leo,
As with any computer system, it is quite nearly impossible for any one person to be an expert in the security arena. I personally and corporately have been supporting Mandriva, which was Mandrake Linux.
In the initial install, you are definitely given options to default your system to completely locked down.
In my opinion, as long as your distro can be kept up-to-date (Mandriva's urpmi or their club membership and proprietary update software do the job at different levels), then the shorewall/iptables solution offered by default on Mandriva installs should protect 90% of Linux users. When holes need to be opened into the firewall, then those users should hold themselves responsible for keeping those applications up-to-date and secure.

Paul Howie
July 8, 2005 2:37 AM

SuSE linux activates the firewall at install time, you can use Yast (an exceptional graphical configuration tool) to configure it afterwards.

The desktop setup will not install any dangerous server software (turning off ftp? if you don't need it why did it ever get installed?). You can always use Yast to add and configure these packages later if you find you need them, and it will automatically open only the required ports in the firewall.

Automatic updates are handled by YOU (Yast Online Update) which can be enabled in fully automatic mode, or with a system tray icon that is green when you're up to date, yellow if non critical updates are available and red for critical updates.

I've tried many linux distros, for those who prefer to avoid the command line SuSE is my winner by a mile. Maybe you should look at that, or another Norton distro, like SLES, if you need the enterprise versions for work.

Leo
July 8, 2005 8:45 AM

Thanks Paul. In my case, I'm in the opposite camp: command line all the way. These are remotely hosted servers, and everything is via ssh, and any installed web-based control panels.

My experience with SuSE was only "OK". I personally find Debian a little more intuitive to setup and run, and more compatible with more of the hardware I had at the time I tried it all.

KryptonianSon
July 8, 2005 11:22 AM

Leo,

Everyone here seems to agree on the firewall issue, you can easily enable the firewall at install time in nearly every mainstream distribution, RedHat since their 7 series if I remember correctly. You choose from a simple list of services to open up. You're done. (Tweaking is always good no matter what OS you use.)

I would like to encourage you to do one thing in your laundry list. Remember, when working with a distribution, that is what you are reviewing, a distribution, not Linux in general.

We have given you a list of alternative distributions to go after. If you are locked down to RedHat Enterprise or Debian, you have to write from a perspective that these don't cut it for you. Believe me, there are a lot of choices, and that is the point in the Linux world. There has to be one that fits your needs. Try and be a little flexible on it.

I would highly recommend getting a system and installing all the distributions we have suggested to you. See which one fits the bill for you. I think everyone here has been helpful with giving you a good place to start. Hope it all works out for you.

KryptonianSon
July 8, 2005 11:28 AM

Oh Leo, one more thing. I noticed you mentioned you use ssh and web based control panels. I am sure you are aware of it, but I will state it anyway. Take a look at www.webmin.com. Webmin is one of the best web based control panels you can find. And it has a great developer, Jamie Cameron, who is VERY responsive to feedback. It is very mature and makes a lot of tasks very easy to perform, including firewall configuration. Have a look.

Leo
July 9, 2005 8:42 AM

Thanks again, KryptonianSon. In this case my customer's not really interested in learning yet another web admin tool (having been through Ensim and cPanel). We're settled on cPanel, which has done reasonably well by us, *if* you're also aware of what it *doesn't* do (which fed my frustration in the first place). I also use Plesk on one of my servers.

I've heard good things about Webmin, but I also just checked, and it's not offered by the server farm we're dealing with.

Thanks again.

georgia_tech_swagger
July 9, 2005 1:04 PM

Gentoo... add the use flag "hardened" ... and take a look at the handful of hardening apps in portage. Portage does almost all the legwork for you.

While Gentoo is non-trivial to install... it makes almost everything post-install trivial if you use portage correctly.

Leo
July 24, 2005 7:04 PM

All: I've added an article that is the laundry list I used: http://ask-leo.com/how_should_i_set_up_my_linux_web_server.html

g que
August 23, 2005 9:18 PM

I love Linux, but presently my headache is how to use ssh or telnet, because right now I'm using a MySQL database and working inside the root directory, which is not common. Can somebody help me solve this problem?

(I'm only using one computer, which is both server and client.)

Or just give me some idea on how to use MySQL on the client side.

I don't even know how to connect to the server side.
I'm using Mandrake Linux 10.1.

Thanks

geo

Leo
August 26, 2005 8:05 PM

I guess I'm having a tough time understanding your question. Could you clarify?

yomi
April 10, 2006 3:50 AM

I have just installed Linux Mandriva 2005 and I can't seem to turn it off.
The only option I have is to log out, which doesn't turn off the system.
